1. 创建配置文件
# Write the options file that kube-proxy.service loads through EnvironmentFile=.
# The heredoc delimiter is quoted, so the text is stored exactly as shown here;
# each trailing backslash continues the KUBE_PROXY_OPTS value on the next line.
cat > /opt/kubernetes/cfg/kube-proxy.conf << 'EOF'
KUBE_PROXY_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF
2. 配置参数文件
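# Write the kube-proxy component configuration that --config points at.
# kubeconfig is a field of clientConnection, so it must be indented under it;
# left at the top level it is not part of clientConnection.
# NOTE(review): metricsBindAddress 0.0.0.0:10249 opens the metrics port on every
# interface of the node (the netstat check below shows it listening on :::10249),
# and the curl check below reaches it over plain HTTP with no credentials.
# If nothing off-host scrapes it, 127.0.0.1:10249 is the narrower setting;
# otherwise restrict the port with host firewall rules.
cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-master
clusterCIDR: 10.0.0.0/24
EOF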
[root@k8s-master ~]# netstat -tpln | grep 10249
tcp6 0 0 :::10249 :::* LISTEN 1108/kube-proxy
[root@k8s-master ~]# curl 127.0.0.1:10249/metrics
3. 生成kube-proxy.kubeconfig文件
生成kube-proxy证书:
# Switch to the working directory. The cfssl command below reads ca.pem,
# ca-key.pem and ca-config.json from here. ca-key.pem is the cluster CA private
# key: whoever can read it can issue client certificates for any identity, so
# keep this directory readable by the administrator only.
cd TLS/k8s
# Create the certificate signing request.
# Kubernetes x509 client authentication takes the subject CN as the user name
# and O as the group, so this certificate authenticates as user
# "system:kube-proxy" in group "k8s". "hosts" is empty because this is a client
# certificate, not a serving certificate.
cat > kube-proxy-csr.json << EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# Generate the certificate: sign the CSR with the cluster CA using the
# "kubernetes" profile from ca-config.json; cfssljson -bare writes the results
# with the "kube-proxy" file prefix (kube-proxy.pem and kube-proxy-key.pem are
# listed by the ls below). kube-proxy-key.pem is the client private key.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
ls kube-proxy*pem
kube-proxy-key.pem kube-proxy.pem
生成kubeconfig文件:
集群参数设置
使用kubectl config这条命令生成kubeconfig文件,逐步填充kubeconfig里面的信息
生成的kubeconfig文件格式和家目录下.kube/config的内容格式是一样的
[root@k8s-master ~]# cd .kube/
[root@k8s-master .kube]# ls
cache config
这里填充了cluster的信息
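# Cluster entry: record the API server URL and the CA used to verify it.
# --embed-certs=true copies ca.pem into the kubeconfig as base64
# (certificate-authority-data) instead of storing a path to the file.
# The expansion is quoted so the URL is always passed as a single argument.
KUBE_APISERVER="https://192.168.111.3:6443"
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=kube-proxy.kubeconfig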
[root@localhost k8s]# kubectl config set-cluster kubernetes \
> --certificate-authority=/opt/kubernetes/ssl/ca.pem \
> --embed-certs=true \
> --server=${KUBE_APISERVER} \
> --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.
[root@localhost k8s]# cat kube-proxy.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 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
server: https://192.168.111.3:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
本段设置了所需要访问的集群的信息。
使用set-cluster设置了需要访问的集群,如上为kubernetes,这只是个名称,实际为--server指向的apiserver
用户参数设置
# User entry: add the "kube-proxy" user with its client certificate and key.
# --embed-certs=true writes both files into the kubeconfig as base64
# (client-certificate-data and client-key-data in the output below). base64 is
# an encoding, not encryption, so from this point kube-proxy.kubeconfig holds
# the private key itself and must be protected like kube-proxy-key.pem.
kubectl config set-credentials kube-proxy \
--client-certificate=./kube-proxy.pem \
--client-key=./kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
[root@localhost k8s]# kubectl config set-credentials kube-proxy \
> --client-certificate=./kube-proxy.pem \
> --client-key=./kube-proxy-key.pem \
> --embed-certs=true \
> --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.
[root@localhost k8s]# cat kube-proxy.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 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
server: https://192.168.111.3:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: kube-proxy
user:
client-certificate-data: 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
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBdTZXTnU0dlhOVGU5ODZlRnhjT2xkbEFSbWh4WEp4eGN4WkJrZmtPdGNWbWthZ3dsCm9BM2hyYWhkR3FWUjVVZCtMS0lCUXl4K2J1ekNkcXYzV1lvYS9rRCtEMWdXY2RhRzdhN2JsMU04aEFSU0w0RjEKZ3pxSVdsYVhoTHRjNU9SdUNOR0NBd1Bhc2FkYk9YS3Zjdmo1a0U2N3IwYmJEVksvSStHanlvNTlJYlY3b0VaTQp3UXVmOGZPb0VQbDVhb2dMcnNhM250WmZFTkZScjdEcEtJU1FqMEZUVDNaSHJKRkRET2VPVUllUHN4RWd5bEdECnNJbU1NV0NaMU9XdkNKMUlmd0tCKzNaVVhMa3JQaTRRMlVzUExvWUw0YzZHZU1VaEFubGFPNG9PMHNrTFd6TWsKT2JuOEdpUHFWUnZmZWpGYS9IRnFnVFk3c3hmeEc2d0VTU0p4MlFJREFRQUJBb0lCQVFDajA5eTBlMWovUzVWNgpIeTU2QldCMnRWMUkwYWw5cWhPTklZMjdkMWI4ZWFsRU5TcThYS0pHUFpKYjZ5NWZJVllWbmJQQWRCNUd0a3JwCjFTWDFkTkF3WDRudzE1VncrajEvVW9UQno1Z3NJcUdtZkQ2ZXZnSEI3WXdJQkpVTCtpdmZZeHRCaXFIckxSUkcKU2N6SWNudGc5SHlFZ1RaS29ZM2p3K0ordkh5ZmFoWmk1SDlxZWNBTFY2SlV3cldYa1dYTEhvVzdnYTIyU2RkTQpvZ0Z6MThNemlyNmlmYUhYQ1pGOUtTeWJLQXkxcXNSY2psNFVhZlgyR3R1c3o4OE1PZkJHRDFvWlM1WlhBMWFHClpON0krWmNESlFtRVBZeXNLZVgvZHZ4RG56clV6N1ZjL0RFdUpXVEJmS1BrOTliSy9QZHJjdFc4WUZrUVBuNlkKR1ZVbG1mSEpBb0dCQU9TTDQwczYvYTRvNnduK0o1YWk5UHo0NzFXdlpta2xCc1R6RmJlWXhqdDBPeC9WZmRlUgp4a1lnc3FXbEZacTRjdzd2OHFWa2VXdGhZZHc4V0ZRQ0YzSjVOSzVsNUVrYTFPRkx3L0ZYeVpqMEJ4dFk2dUtxCm05a1lVSTY5dHFtZ25rRE5LNk5GcXJmNUFzZTlmMnJZZGp3eThhRTEyOE5QRDFRWG5kN1BjSmxUQW9HQkFOSXYKOFg4SlFkZUd1b3VzbHpGY21sT0hZNy9ySUg2dm5jaVpLbGFOM2l5dU9RL2lRSUZvVlA2RmFsU3pRMUhCYWV0WAp4SkkwOE1vdk1SRURSN0czUHZrRTYzaW1RRnR3bUJIakwvYVdHQXJ4NFhjekxhTStMRFROMmdpa0dZQ3ZTLzBIClY2M2M3MUVnazh6eEJlbGQ0S2dCbzZWQklBeTlxVCtPenBCSlI2YWpBb0dBVDlMMEhsQ0tUZ3dJbThMalBOL0oKeFptRXJsN0czQzZNZ0xtT2VrT242UmdkbG03UXR6dzVEa0ZaWkRXV3FDV0lPazFnYUpnQk9Kb1l2ZjF0dEZuTwpxckxlelpMVSt4dWVBdHFkbzJ2UUE5WW5yVXVQTG4vOFV3VUZEZllCR0puNjdCTTlESmZHbXQ4a00zTmlUNFV2Ck5yTnNaYXdVQjlGVFAwSElhQXYzL2ZVQ2dZRUFvMktoVng3YkQ2NnJVK2ZWbjRsY2JaSFErRjdONDZ5ZitrOFYKbWpLdGdnM3NUV3lTdUFWaURIZXBNQzRwSm1ReThiNUlEMThYemhMaEVWaDdZcW9QU1lPSmh6KzB4MSsrMWlqRQpIK3FNeGZWQVRtaDZFV3RDOGNrU3M2VGNMaXdWNVpyUGpWY3dzTitpQksxVzZ4RU9rWXEwcXNEMUtQSkZuaUprCmI4U0c3Z0VDZ1lFQXRGUDRaSXhSbWRreXU
ycDJveDVHQUlITWZKOERjMXZwUGhXcFhCeHZINWZvTmpMdW9SaHEKeForbEplMndBZytKUVBXUklTbnpyditMeHMyc2Q1cGcvRFZ3SElGb0o1ZUQrcFpqZUNlY29qcFhFWENIZXVHRAphcWMwSk9reXBkVFQvVTJRVjQ4aUdGYlhQT2ZZdEVDejlTRjVCdEd3M0gwUjJXckJUQ2hXRlBVPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
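本段主要设置用户的相关信息,主要是用户证书。如上的用户名为kube-proxy,证书为:kube-proxy.pem,私钥为:kube-proxy-key.pem。注意客户端的证书首先要经过集群CA的签署,否则不会被集群认可。由于使用了--embed-certs=true,私钥会以base64编码(只是编码,并非加密)直接写入kubeconfig的client-key-data字段,因此该kubeconfig文件应当与私钥同等保管:限制为仅属主可读,不要把文件内容粘贴到公开场合。此处使用的是ca认证方式,也可以使用token认证,如kubelet的 TLS Bootstrap机制下的bootstrapping使用的就是token认证方式。上述kubectl使用的是ca认证,不需要token字段。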
上下文参数
# Context entry: create the context named "default", which pairs the
# "kubernetes" cluster entry with the "kube-proxy" user entry.
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
[root@localhost k8s]# kubectl config set-context default \
> --cluster=kubernetes \
> --user=kube-proxy \
> --kubeconfig=kube-proxy.kubeconfig
Context "default" created.
集群参数和用户参数可以同时设置多对,在上下文参数中将集群参数和用户参数关联起来。上面的上下文名称为default,集群为kubernetes,用户为kube-proxy。
[root@localhost k8s]# cat kube-proxy.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 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
server: https://192.168.111.3:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kube-proxy
name: default
current-context: ""
kind: Config
preferences: {}
users:
- name: kube-proxy
user:
client-certificate-data: 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
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBdTZXTnU0dlhOVGU5ODZlRnhjT2xkbEFSbWh4WEp4eGN4WkJrZmtPdGNWbWthZ3dsCm9BM2hyYWhkR3FWUjVVZCtMS0lCUXl4K2J1ekNkcXYzV1lvYS9rRCtEMWdXY2RhRzdhN2JsMU04aEFSU0w0RjEKZ3pxSVdsYVhoTHRjNU9SdUNOR0NBd1Bhc2FkYk9YS3Zjdmo1a0U2N3IwYmJEVksvSStHanlvNTlJYlY3b0VaTQp3UXVmOGZPb0VQbDVhb2dMcnNhM250WmZFTkZScjdEcEtJU1FqMEZUVDNaSHJKRkRET2VPVUllUHN4RWd5bEdECnNJbU1NV0NaMU9XdkNKMUlmd0tCKzNaVVhMa3JQaTRRMlVzUExvWUw0YzZHZU1VaEFubGFPNG9PMHNrTFd6TWsKT2JuOEdpUHFWUnZmZWpGYS9IRnFnVFk3c3hmeEc2d0VTU0p4MlFJREFRQUJBb0lCQVFDajA5eTBlMWovUzVWNgpIeTU2QldCMnRWMUkwYWw5cWhPTklZMjdkMWI4ZWFsRU5TcThYS0pHUFpKYjZ5NWZJVllWbmJQQWRCNUd0a3JwCjFTWDFkTkF3WDRudzE1VncrajEvVW9UQno1Z3NJcUdtZkQ2ZXZnSEI3WXdJQkpVTCtpdmZZeHRCaXFIckxSUkcKU2N6SWNudGc5SHlFZ1RaS29ZM2p3K0ordkh5ZmFoWmk1SDlxZWNBTFY2SlV3cldYa1dYTEhvVzdnYTIyU2RkTQpvZ0Z6MThNemlyNmlmYUhYQ1pGOUtTeWJLQXkxcXNSY2psNFVhZlgyR3R1c3o4OE1PZkJHRDFvWlM1WlhBMWFHClpON0krWmNESlFtRVBZeXNLZVgvZHZ4RG56clV6N1ZjL0RFdUpXVEJmS1BrOTliSy9QZHJjdFc4WUZrUVBuNlkKR1ZVbG1mSEpBb0dCQU9TTDQwczYvYTRvNnduK0o1YWk5UHo0NzFXdlpta2xCc1R6RmJlWXhqdDBPeC9WZmRlUgp4a1lnc3FXbEZacTRjdzd2OHFWa2VXdGhZZHc4V0ZRQ0YzSjVOSzVsNUVrYTFPRkx3L0ZYeVpqMEJ4dFk2dUtxCm05a1lVSTY5dHFtZ25rRE5LNk5GcXJmNUFzZTlmMnJZZGp3eThhRTEyOE5QRDFRWG5kN1BjSmxUQW9HQkFOSXYKOFg4SlFkZUd1b3VzbHpGY21sT0hZNy9ySUg2dm5jaVpLbGFOM2l5dU9RL2lRSUZvVlA2RmFsU3pRMUhCYWV0WAp4SkkwOE1vdk1SRURSN0czUHZrRTYzaW1RRnR3bUJIakwvYVdHQXJ4NFhjekxhTStMRFROMmdpa0dZQ3ZTLzBIClY2M2M3MUVnazh6eEJlbGQ0S2dCbzZWQklBeTlxVCtPenBCSlI2YWpBb0dBVDlMMEhsQ0tUZ3dJbThMalBOL0oKeFptRXJsN0czQzZNZ0xtT2VrT242UmdkbG03UXR6dzVEa0ZaWkRXV3FDV0lPazFnYUpnQk9Kb1l2ZjF0dEZuTwpxckxlelpMVSt4dWVBdHFkbzJ2UUE5WW5yVXVQTG4vOFV3VUZEZllCR0puNjdCTTlESmZHbXQ4a00zTmlUNFV2Ck5yTnNaYXdVQjlGVFAwSElhQXYzL2ZVQ2dZRUFvMktoVng3YkQ2NnJVK2ZWbjRsY2JaSFErRjdONDZ5ZitrOFYKbWpLdGdnM3NUV3lTdUFWaURIZXBNQzRwSm1ReThiNUlEMThYemhMaEVWaDdZcW9QU1lPSmh6KzB4MSsrMWlqRQpIK3FNeGZWQVRtaDZFV3RDOGNrU3M2VGNMaXdWNVpyUGpWY3dzTitpQksxVzZ4RU9rWXEwcXNEMUtQSkZuaUprCmI4U0c3Z0VDZ1lFQXRGUDRaSXhSbWRreXU
ycDJveDVHQUlITWZKOERjMXZwUGhXcFhCeHZINWZvTmpMdW9SaHEKeForbEplMndBZytKUVBXUklTbnpyditMeHMyc2Q1cGcvRFZ3SElGb0o1ZUQrcFpqZUNlY29qcFhFWENIZXVHRAphcWMwSk9reXBkVFQvVTJRVjQ4aUdGYlhQT2ZZdEVDejlTRjVCdEd3M0gwUjJXckJUQ2hXRlBVPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
最后使用kubectl config use-context default将名为default的环境项设为当前使用的配置。如果配置了多个环境项,可以通过切换不同的环境项名字来访问到不同的集群环境。
# Set current-context in kube-proxy.kubeconfig to "default"; it is still the
# empty string in the file contents shown above until this command runs.
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
[root@localhost k8s]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".
拷贝到配置文件指定路径:
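# Place the kubeconfig at the path named by clientConnection.kubeconfig in
# kube-proxy-config.yml. The file embeds the client private key, so the mode is
# set to owner-only explicitly instead of depending on the source file's mode.
install -m 0600 kube-proxy.kubeconfig /opt/kubernetes/cfg/kube-proxy.kubeconfig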
4. systemd管理kube-proxy
# Install the systemd unit for kube-proxy.
# The heredoc delimiter is quoted so $KUBE_PROXY_OPTS is written literally;
# systemd fills it in at start-up from the EnvironmentFile named in the unit.
cat > /usr/lib/systemd/system/kube-proxy.service << 'EOF'
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
5. 启动并设置开机启动
# Reload unit definitions so systemd sees the newly written kube-proxy.service.
systemctl daemon-reload
# Start the service now, then enable it so it also starts on boot.
systemctl start kube-proxy
systemctl enable kube-proxy
k8s的node节点服务器重启后,启动kube-proxy发现报错
6月 19 09:57:07 node1 kube-proxy[17770]: E0619 09:57:07.022125 17770 proxier.go:1319] Failed to delete stale service IP 10.254.0.2 connections, error: error deleting connection tracking state for UDP service IP: 10.254.0.2, error: error looking for path of conntrack: exec: "conntrack": executable file not found in $PATH
yum -y install conntrack 后重启kube-proxy,问题解决